9/25/2023

LastPass news

LastPass is sending email notifications to all users about the incident and says it is working with authorities and security forensic experts. LastPass last week revealed the extent of that data. That's because if the hackers have both, they could conceivably open your email and click the verification link for you. But if you've used your master password as your email password, you're "in big trouble," Beardsley warned.

The company said "LastPass user accounts are locked down," and it is requiring that all users who log in from a new device or IP address first verify their account by email, the way one often has to when first signing up for a new site or service. In an unfortunate twist, this also poses the chance to undermine one of LastPass's attempts to help customers protect themselves post-hack.

"This is precisely what LastPass's service intends to solve, by encouraging unique passwords for sites." "This is precisely the reason why one shouldn't reuse passwords: once one site gets compromised, all of your accounts that use that password are now exposed as well." Like others, it offers free and premium tiers, with apps for. "Thus, if you're a LastPass user, and you've used your master password somewhere else (also associated with your email address), then you're going to want to change that password on both LastPass and your other sites," Beardsley said.

Where you go from here depends on whether you remember your master password. LastPass, launched in 2008, is one of the older and more widely used password managers, with 25 million customers as of September 2020. The attackers got hold of email addresses, so if you've used the same password for any other login associated with your email address, once they figure it out, they can just log in to other accounts linked to that address.
LastPass explains it's now clear this attack is linked to the August breach, but that begs the question of how an attack of this magnitude flew under the company's radar. The LastPass statement assured that "because encrypted data was not taken, you do not need to change your passwords on sites stored in your LastPass vault." However, if you've used your master password on any other sites, that's a problem. (If your password is on the list of worst passwords on the Web, you're in the latter group.) Those with weak passwords should do so post haste. As users, the only prudent choice we are left with is to assume that our passwords will eventually be cracked."

Anyone with a LastPass account is advised to change his master password. Jeremy Spilman, CTO of TapLink, which provides its own kind of password security services, added, "With potentially massive botnets at their disposal, it's difficult to know for sure how fast (attackers) are cracking passwords, but usually it's just a matter of time. "LastPass uses some hefty encryption on (its authentication hashes), so it will take a while to recover master passwords with dedicated cracking gear," explained Tod Beardsley, security engineering manager at online security firm Rapid7, "but easy passwords will fall easily."